Profile Applicability:

  • Level 1

Description:

Ensure that the ownership of the scheduler.conf file is set to root:root. This ensures that only the root user and root group have ownership and control over the file, preventing unauthorized access or modification.

Rationale:

Setting the ownership of the scheduler.conf file to root:root ensures that the file is controlled by the root user and group. This reduces the risk of unauthorized access or tampering with critical configuration files, maintaining the security and integrity of the Kubernetes scheduler configuration.

Impact:

Pros:

  • Ensures proper access control by restricting ownership to trusted administrators (root).

  • Prevents unauthorized users from modifying the configuration, thereby protecting the stability and security of the Kubernetes scheduler.

Cons:

  • If ownership is misconfigured, it could cause operational issues, especially during system updates or troubleshooting.

Default Value:

The scheduler.conf file is not configured by default to have ownership set to root:root. It requires manual configuration to ensure proper ownership.

Pre-Requisites:

  • Access to the scheduler.conf file.

  • Sufficient privileges (root or administrator access) to modify file ownership.

  • A Kubernetes environment configured to manage secure file ownership.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Workloads" section and locate the pod or node running the Kubernetes scheduler.

  4. Check the ownership of the scheduler.conf file to ensure it is set to root:root.

  5. Verify that only authorized users (root) have ownership of the file.

Using AWS CLI:

Use the following command on the control plane node that runs the scheduler to check the ownership of the scheduler.conf file (kubectl exec runs a command inside a pod, not on a node, so log in to the node itself, for example over SSH):

ls -l /etc/kubernetes/scheduler.conf

Ensure that the file ownership is set to root:root. If not, run the following command to correct it:

sudo chown root:root /etc/kubernetes/scheduler.conf

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to the "Workloads" section.

  3. Locate the pod or node running the Kubernetes scheduler.

  4. Review the ownership of the scheduler.conf file.

  5. If the ownership is not set to root:root, modify the file ownership by accessing the node and updating the ownership to root:root.

Using AWS CLI:

Identify the node where the scheduler.conf file is located:

kubectl get nodes

Access the node (for example over SSH; kubectl exec targets a pod, not a node) and check the ownership of the scheduler.conf file:

ls -l /etc/kubernetes/scheduler.conf

If needed, change the ownership:

sudo chown root:root /etc/kubernetes/scheduler.conf
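The check and the fix above, combined into an audit script that can be run on the control plane node. This is an added example and not part of the benchmark text; it assumes GNU coreutils stat and root privileges when remediating.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): audit the ownership of
# scheduler.conf on a control plane node and remediate only when it differs
# from root:root. Assumes GNU coreutils stat and root privileges for --fix.

SCHEDULER_CONF="${SCHEDULER_CONF:-/etc/kubernetes/scheduler.conf}"
EXPECTED_OWNER="root:root"

# Print the owner as "user:group"; exits non-zero if the file does not exist.
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null
}

# Exit 0 when the file has the expected owner, 1 on a mismatch, 2 if missing.
# Prints a PASS/FAIL line in the style of a CIS audit script.
check_owner() {
    path=$1
    expected=${2:-$EXPECTED_OWNER}
    actual=$(file_owner "$path") || { echo "FAIL: $path not found"; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "PASS: $path is owned by $actual"
        return 0
    fi
    echo "FAIL: $path is owned by $actual, expected $expected"
    return 1
}

# Change the owner only when the audit fails, so an already-compliant file
# is left untouched, then re-run the audit to confirm the change applied.
remediate_owner() {
    path=$1
    expected=${2:-$EXPECTED_OWNER}
    if check_owner "$path" "$expected" >/dev/null; then
        return 0
    fi
    chown "$expected" "$path" && check_owner "$path" "$expected"
}

# Usage on the control plane node:  sh audit_scheduler_conf.sh --audit
#                                    sh audit_scheduler_conf.sh --fix   (as root)
case "${1:-}" in
    --audit) check_owner "$SCHEDULER_CONF" ;;
    --fix)   remediate_owner "$SCHEDULER_CONF" ;;
esac
```

Without --fix the script only reports, so it can be scheduled as a read-only audit and the FAIL lines forwarded to the monitoring system.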

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to the instance or node where the scheduler.conf file is stored.

  3. Review the ownership of the scheduler.conf file.

  4. Modify the file ownership to ensure it is correctly set to root:root.

  5. Confirm that the ownership changes are applied successfully.

Using AWS CLI:

To revert the ownership to a less secure setting, run the following command:

sudo chown <user>:<group> /etc/kubernetes/scheduler.conf

References: